reCAPTCHA is a user-dialogue system originally developed by Luis von Ahn, Ben Maurer, Colin McMillen, David Abraham and Manuel Blum at Carnegie Mellon University's main Pittsburgh campus, and acquired by Google in September 2009.[1] Like the CAPTCHA interface, reCAPTCHA asks users to enter words seen in distorted text images onscreen. By presenting two words it both protects websites from bots attempting to access restricted areas[2] and helps digitize the text of books.

The reCAPTCHA service supplies subscribing websites with images of words that optical character recognition (OCR) software has been unable to read. The subscribing websites (whose purposes are generally unrelated to the book digitization project) present these images for humans to decipher as CAPTCHA words, as part of their normal validation procedures. They then return the results to the reCAPTCHA service, which sends the results to the digitization projects.

reCAPTCHA's slogan was "Stop spam, read books.",[7] until the introduction of a new version of the reCAPTCHA plugin in 2014; the slogan has now disappeared from the website[8] and from the classic version of the reCAPTCHA plugin.

Contents

Distributed Proofreaders was the first project to volunteer its time to decipher scanned text that could not be read by OCR. It works with Project Gutenberg to digitize public domain material and uses methods quite different from reCAPTCHA.

An example of how a reCAPTCHA challenge looked in 2007,[11] containing the words "following finding". The waviness and horizontal stroke were added to increase the difficulty of breaking the CAPTCHA with a computer program.

Scanned text is subjected to analysis by two different optical character recognition programs. Their respective outputs are then aligned with each other by standard string-matching algorithms and compared both to each other and to an English dictionary. Any word that is deciphered differently by both OCR programs or that is not in the English dictionary is marked as "suspicious" and converted into a CAPTCHA. The suspicious word is displayed, out of context, sometimes along with a control word already known. If the human types the control word correctly, then the response to the questionable word is accepted as probably valid. If enough users were to correctly type the control word, but incorrectly type the 2nd word which OCR had failed to recognize, then the digital version of documents could end up containing the incorrect word. The identification performed by each OCR program is given a value of 0.5 points, and each interpretation by a human is given a full point. Once a given identification hits 2.5 points, the word is considered valid. Those words that are consistently given a single identity by human judges are later recycled as control words.[12] If the first three guesses match each other but do not match either of the OCRs, they are considered a correct answer, and the word becomes a control word.[13] When six users reject a word before any correct spelling is chosen, the word is discarded as unreadable.[13]

The original reCAPTCHA method was designed to show the questionable words separately, as out-of-context correction, rather than in use, such as within a phrase of 5 words from the original document.[14] Also, the control word might mislead context for the 2nd word, such as a request of "/metal/ /fife/" being entered as "metal file" due to the logical connection of filing with a metal tool being considered more common than the musical instrument "fife".[citation needed]

In 2012, reCAPTCHA began using photographs of house numbers taken from Google's Street View project, in addition to scanned words.[15]

In 2013, reCAPTCHA began "actively considering the user’s entire engagement with the CAPTCHA" to predict whether the user was a human or a bot before displaying the captcha, and presenting a "considerably more difficult" captcha in cases where it had reason to think the user might be a bot.[16]

In September 2014 reCAPCTHA began to introduce a "NoCAPTCHA reCAPTCHA" which initially asks users to click on a check box to confirm that they are "not a robot", and only requires a further verification in the form of distorted text or an image question if analysis of the user's "entire engagement" with the CAPTCHA suggests that they may be a bot.[17]

The reCAPTCHA tests are displayed from the central site of the reCAPTCHA project, which supplies the words to be deciphered. This is done through a JavaScriptAPI with the server making a callback to reCAPTCHA after the request has been submitted. The reCAPTCHA project provides libraries for various programming languages and applications to make this process easier. reCAPTCHA is a free service (that is, the CAPTCHA images are provided to websites free of charge, in return for assistance with the decipherment),[18] but the reCAPTCHA software itself is not open source.[19]

Also, reCAPTCHA offers plugins for several web-application platforms, like ASP.NET, Ruby, or PHP, to ease the implementation of the service.[20]

The use of reCAPTCHA has been labelled a "a serious barrier to internet use" for people with sight problems or disabilities such as dyslexia by a BBC journalist.[21]

Andrew Munsell, in his article "Captchas Are Becoming Ridiculous" states "A couple of years ago, I don’t remember being truly baffled by a captcha. In fact, reCAPTCHA was one of the better systems I’d seen. It wasn’t difficult to solve, and it seemed to work when I used it on my own websites." [22] Munsell goes on to state, after encountering a series of unintelligible images that despite refreshing "Again, and again, and again. The captchas were not only difficult for a computer to read, but impossible for a human." Munsell then provided numerous examples.

An example of how reCAPTCHA challenges were presented in 2010,[23] containing the words "and chisels"

The main purpose of a CAPTCHA system is to prevent automated access to a system by computer programs or "bots". On 14 December 2009, Jonathan Wilkins released a paper describing weaknesses in reCAPTCHA that allowed a solve rate of 18%.[24][25][26]

On 1 August 2010, Chad Houck gave a presentation to the DEF CON 18 Hacking Conference detailing a method to reverse the distortion added to images which allowed a computer program to determine a valid response 10% of the time.[27][28] The reCAPTCHA system was modified on 21 July 2010, before Houck was to speak on his method. Houck modified his method to what he described as an "easier" CAPTCHA to determine a valid response 31.8% of the time. Houck also mentioned security defenses in the system, including a high security lock out if an invalid response is given 32 times in a row.[29]

On 26 May 2012, Adam, C-P and Jeffball of DC949 gave a presentation at the LayerOne hacker conference detailing how they were able to achieve an automated solution with an accuracy rate of 99.1%.[30] Their tactic was to use techniques from machine learning, a subfield of artificial intelligence, to analyse the audio version of reCAPTCHA which is available for the visually impaired. Google released a new version of reCAPTCHA just hours before their talk, making major changes to both the audio and visual versions of their service. In this release, the audio version was increased in length from 8 seconds to 30 seconds, and is much more difficult to understand, both for humans as well as bots. In response to this update and the following one, the members of DC949 released two more versions of Stiltwalker which beat reCAPTCHA with an accuracy of 60.95% and 59.4% respectively. After each successive break, Google updated reCAPTCHA within a few days. According to DC949, they often reverted to features that had been previously hacked.

In an August 2012 presentation given at BsidesLV 2012, DC949 called the latest version "unfathomably impossible for humans" - they were not able to solve them manually either.[30] The web accessibility organization WebAIM reported in May 2012, "Over 90% of respondents [screen reader users] find CAPTCHA to be very or somewhat difficult."[31]

On 27 June 2012, Claudia Cruz, Fernando Uceda, and Leobardo Reyes (a group of students from México) published a paper showing a system running on reCAPTCHA images with an accuracy of 82%.[32] The authors have not said if their system can solve recent reCAPTCHA images, although they claim their work to be intelligent OCR and robust to some changes.[clarification needed]

reCAPTCHA frequently modifies its system, requiring hackers to frequently update their methods of decoding, which may frustrate potential abusers.[citation needed]

Only words that both OCR programs failed to recognize are used as control words. Thus, any program that can recognize these words with nonnegligible probability would represent an improvement over state of the art OCR programs.[13]

reCAPTCHA had also created project Mailhide, which protects email addresses on web pages from being harvested by spammers.[33] By default, the email address is converted into a format that does not allow a crawler to see the full email address; for example, "mailme@example.com" would be converted to "mai...@example.com". The visitor would then click on the "..." and solve the CAPTCHA in order to obtain the full email address. One can also edit the pop-up code so that none of the address is visible.